Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them


This topic is locked
9 replies to this topic

#1 I_hate_trojans!

  • Members
  • 7 posts

Posted 29 December 2009 - 04:36 AM

Hi

This is with regards to the closed topic

http://www.bleepingcomputer.com/forums/top...ml#entry1535293.


Very sorry for not replying earlier. It's just getting worse. I cannot access the internet at all. I have borrowed a friend's laptop for the duration.

To run RSIT I have copied the program onto my flash drive and run from there...I cannot move the program to the desktop. But it hangs. It says Running HijackThis and the progress bar is stuck at the same level for the past hour! Is this normal? Please could you help?

Many thanks!



#2 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,066 posts
  • Location: Romania

Posted 01 January 2010 - 08:28 AM

Hello I_hate_trojans!,

This infection is preventing almost every tool from running. Please try to follow the steps below carefully and in the order given! If you encounter problems, just let me know, that's what I am here for :(

First of all, download the following files and put them on a flash drive:
Win32kdiag
Combofix
Junction.zip

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.
---------------------------------------------------------------------

You should now have a flash drive with win32kdiag.exe, junction.zip, combofix.exe and the MS Recovery Console installer package

--------------------------------------------------------------------
Now plug the flash drive in your infected computer and proceed with the steps below.


COMBOFIX
---------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Drag the setup package onto ComboFix.exe and drop it (you can do that while both files are still on your flash drive).
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.


At this point your desktop should be accessible, please read the following steps carefully and DO NOT leave the needed tools on your flash drive, because that will cause the steps below not to work.

----------------------------
Please save Win32kDiag.exe to your desktop. Click on Start->Run, and copy-paste the following command (the line below) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r


---------------------------
We need to scan the system with this special tool:

* Please unzip the following file:

Junction.zip

* Place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

In your next reply, please include the following:
  • Combofix.txt
  • Win32kDiag.txt
  • Junction log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
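The junction scan in the steps above lists reparse points so that directories the malware has redirected elsewhere can be spotted. The PowerShell script below is an added example, not Elise's command and not the Sysinternals Junction tool: it produces the same kind of listing with built-in cmdlets (Windows PowerShell 3.0 or later), writes it to a log, and flags reparse points whose target lies in a Temp folder or the Recycle Bin as worth a second look. The default root, the log path and the "suspicious target" pattern are assumptions chosen for illustration, not anything from the thread.

```powershell
# Added example (not from the thread, not the Sysinternals "junction" tool):
# list every reparse point (junction, symbolic link, volume mount point)
# below a root directory so unexpected redirections can be reviewed.
# Requires Windows PowerShell 3.0 or later (the -Attributes filter).
param(
    [string]$Root    = 'C:\',                                          # assumption: scan the system drive
    [string]$LogPath = "$env:USERPROFILE\Desktop\reparse-points.txt"   # assumption: log next to the thread's other logs
)

function Get-ReparsePointReport {
    param([string]$Path)

    # -Attributes ReparsePoint returns only items carrying the reparse flag;
    # -Force includes hidden/system directories, where malware prefers to live.
    # Access-denied errors are skipped rather than aborting the walk.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Kind     = $_.LinkType                 # Junction, SymbolicLink, or empty for other reparse tags
                Target   = (@($_.Target) -join '; ')   # string[] on Windows PowerShell, string on PowerShell 7
                Modified = $_.LastWriteTime
            }
        }
}

$report = @(Get-ReparsePointReport -Path $Root)

# Junctions created by Windows itself (e.g. the compatibility links under
# C:\Users and C:\ProgramData) are expected. A target inside a Temp folder or
# the Recycle Bin is an illustrative red flag; adjust the pattern to taste.
$suspicious = @($report | Where-Object { $_.Target -match '\\Temp\\|\$Recycle\.Bin' })

$report | Sort-Object Path | Format-Table -AutoSize |
    Out-String -Width 300 | Set-Content -LiteralPath $LogPath

'{0} reparse points found under {1}; {2} flagged for review. Log written to {3}' -f `
    $report.Count, $Root, $suspicious.Count, $LogPath
$suspicious | Format-Table Path, Kind, Target -AutoSize
```

Run it from an elevated prompt so that protected directories are walked; entries it flags are candidates for review against a known-good system, not automatic proof of infection.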


#3 I_hate_trojans! (Topic Starter)

  • Members
  • 7 posts

Posted 03 January 2010 - 03:49 PM

Hi Bleepin' Blonde!

Many thanks for your reply.

Downloaded the 4 files onto the flash drive and inserted it into my computer. When I tried to drag and drop (on the flash drive), nothing happened - I can't get the icon to move. Tried this twice, in vain. Then tried the same thing with the flash drive inserted into the laptop and it came up with the following message:

E:/ComboFix.exe
The handle is invalid

Not sure what this means. Am I doing something wrong?

Thanks.

#4 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,066 posts
  • Location: Romania

Posted 03 January 2010 - 04:03 PM

Hello,

Please try to re-download Combofix to make sure the file is okay. Place it on the flash drive.

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK:

"e:\combofix.exe" "e:\<insert name of Recovery Console Installer>"

NOTE: I assume here that e:\ is the drive letter for your flash drive on your infected computer. If not, replace e:\ with the drive letter of your flash drive.

NOTE2: In the command, you need to introduce the name of the Recovery Console installer file. Usually this is quite a long filename. You can make it easier by renaming that file to something like "installer".

Let me know how this went. If you encounter any problem, just let me know.

regards, Elise




#5 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,066 posts
  • Location: Romania

Posted 10 January 2010 - 06:16 AM

Hello, are you still there?

regards, Elise




#6 I_hate_trojans! (Topic Starter)

  • Members
  • 7 posts

Posted 10 January 2010 - 04:19 PM

Hi Elise,

Yes, apologies for not replying earlier.

It seemed to work; I have log files for all 3 tools.

Combofix log attached.
WinDiag32 log attached - I had some initial problems running Combofix (user needs training :( ), so I have 2 files: a file before Combofix and one afterwards.
Junction log attached.

I can see immediately that my back door access to the internet is restored, i.e. by using iexplore.exe. However I still encounter the same message when trying to access the internet via the normal route. Also I noticed a Qoobox sub-directory in my C drive...

Thanks for your advice so far and best regards.


#7 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,066 posts
  • Location: Romania

Posted 10 January 2010 - 04:31 PM

Hello I_hate_trojans!,

That was some nasty stuff. Please consider the following, and pay special attention to the part about banking information...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


We need to reset the permissions altered by the malware on a file.
  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\Desktop\RootRepeal.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Internet Explorer\iexplore.exe"

  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program. Note - you might see an error message regarding Internet Explorer. Just ignore this and continue.
  • Place a checkmark in front of Fix SSL/HTTPS/CryptSvc
  • Click on go
  • Exit/Close Dial-A-Fix

Now please re-run Combofix and post me the log.

In your next reply, please include the following:
  • Combofix log

regards, Elise



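The Inherit.exe step in the post above re-enables permission inheritance on a file whose ACL the malware altered; that kind of tampering is what produces the "Windows cannot access the specified device, path or file" message in the thread title. The PowerShell script below is an added example, not the thread's tool and not BleepingComputer's code: it reports whether a file's ACL carries explicit Deny entries or has inheritance switched off, and, when run with -Repair, restores inheritance and removes the non-inherited Deny entries using the built-in Get-Acl and Set-Acl cmdlets. The default path (iexplore.exe under Program Files) mirrors the file the thread repairs and is an assumption; any other file can be passed in.

```powershell
# Added example (not from the thread and not the Inherit.exe tool it links):
# inspect a file's ACL for the two changes that lock a user out of a program
# (explicit Deny entries, inheritance disabled) and optionally undo them.
# Run from an elevated PowerShell prompt; the caller needs WRITE_DAC on the file.
param(
    [string]$Path = "$env:ProgramFiles\Internet Explorer\iexplore.exe",   # assumption: the file the thread repairs
    [switch]$Repair
)

function Test-LockedOutAcl {
    param([string]$FilePath)
    $acl  = Get-Acl -LiteralPath $FilePath
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    [pscustomobject]@{
        Path                = $FilePath
        Owner               = $acl.Owner
        InheritanceDisabled = $acl.AreAccessRulesProtected     # $true when inheritance from the parent is blocked
        DenyEntries         = $deny
        LooksTampered       = ($acl.AreAccessRulesProtected -or $deny.Count -gt 0)
    }
}

function Repair-LockedOutAcl {
    param([string]$FilePath)
    $acl = Get-Acl -LiteralPath $FilePath
    # Let the parent directory's rules flow down again (first argument $false = not protected);
    # the second argument only matters when protecting, so it is irrelevant here.
    $acl.SetAccessRuleProtection($false, $false)
    # Drop every explicit Deny rule; inherited ones cannot be removed at this level
    # and would have to be fixed on the parent.
    foreach ($rule in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $FilePath -AclObject $acl
}

$state = Test-LockedOutAcl -FilePath $Path
$state | Format-List Path, Owner, InheritanceDisabled, LooksTampered
$state.DenyEntries | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

if ($state.LooksTampered -and $Repair) {
    Repair-LockedOutAcl -FilePath $Path
    # Re-check so the before/after state is visible in the console
    Test-LockedOutAcl -FilePath $Path | Format-List InheritanceDisabled, LooksTampered
}
```

Without -Repair the script only reports, which is the safer first step: a Deny entry on a system binary is unusual, but the owner and identity columns tell you whether it was placed by an administrator or by something else before you change it.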

#8 I_hate_trojans! (Topic Starter)

  • Members
  • 7 posts

Posted 11 January 2010 - 08:17 AM

Hi Elise,

Thanks for your reply.

Wow! It sounds like the safest thing to do is reinstall Windows, and I think I would prefer this course of action.

Question on the computer: I have a backup disk drive where I store data, no system information. Will that also be contaminated? I was hoping to reinstall Windows and use the data backup. Is there any way of telling if the My Documents folder on the C drive is infected?

Also I had McAfee and Windows firewall on my machine and still got infected - should I have been doing something else to prevent the attack?

Thanks again.

#9 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,066 posts
  • Location: Romania

Posted 11 January 2010 - 08:43 AM

I have a backup disk drive where I store data, no system information. Will that also be contaminated? I was hoping to re-install windows and use the data backup. Is there any way of telling if the My Documents folder on the C drive is infected?

As a rule it's a good idea to scan all data with a few scanners (MBAM, ESET Online, ...) before restoring it.

It's a good idea to save only personal files, like pictures or music. Do not save any executable files unless you are absolutely sure they are indeed harmless.

Also I had McAfee and Windows firewall on my machine and still got infected - should I have been doing something else to prevent the attack?

I will give you some general information about this below. Let me know if you have any questions :)


Please read the following advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:

regards, Elise




#10 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,066 posts
  • Location: Romania

Posted 14 January 2010 - 12:57 PM

This topic is now closed.

regards, Elise



